Introduction
The CoreOne Authentication Services uses OpenID Connect as the default protocol. While using this protocol, you are asked to choose one or multiple allowed authentication flows for each of the clients that you are registering. Oftentimes this can be confusing to administrators and developers alike, so this page aims to clarify all the questions you might have.
First off all we need to clarify the naming:
Available Flows
Authorization Code Flow
The authorization code flow allows you to request an authorization code
that will be sent front-channel (the web-browser, Android app,…). From there, the front-channel can send the authorization code
to the server-side, where the authorization code
can be exchanged for an identity token
by calling the authorization endpoint.
...
Info |
---|
PKCE will be mandatory with OAuth 2.1, so it’s a good practice to already use it wherever you can. |
Implicit Flow
With the implicit flow, you are sending the identity token
directly to the front-channel (the web-browser, Android App,…). That means that the front-channel is in possession of the identity token
. For some applications, mostly web-applications, this is convenient as all the data from the token is directly accessible within the browser. But with convenience comes danger, as the identity token
is present in the browser. To minimize the risk, the CoreOne Suite Authentication Service requires a nonce
by default. But this must be checked by the client library as well.
Hybrid Flow
This flow allows both previous flows to be active at the same time.
Which one should I use?
The general consent here is to use authorization code flow with PKCE wherever possible. In most cases this is possible but this depends on the used library off the application. Developer usually do not have to implement OpenID Connect themselves. For some languages and frameworks like .NET there is built in support for OIDC and the developer simply has to configure it. For other languages like PHP there is no built in support and a developer can use one of the many available libraries. So there is a chance that this library is not supporting the authorization code flow with PKCE. If so, you should try to either use a different library or be aware of the risks that are attached to it.
...